In recent years, there are many damages caused by online banking frauds using malware, which has an MITB (Man-in-the-browser) attack function. An MITB attack is an attack of intercepting communication between a terminal user and a Web server to steal and falsify the communication contents. Malware such as ZBot and SpyEye has an MITB attack function and, by intercepting communication between an infected terminal and an online bank to falsify communication data, conducts attacks such as manipulation of the amount of remittance and display of a fake input form.
Malware such as ZBot employs a system in which communication data to be targeted by the MITB attack can be specified by a setting file. Therefore, the target of the MITB attack is not limited to online banking, and the attacker can conduct an attack on communication data between an infected terminal and a targeted Web server. The setting file is provided on a C&C (Command and Control) server, and malware recognizes the target of a falsifying attack and the falsification contents by communicating with the C&C server and acquiring the file. Thereafter, in the case of malware such as ZBot, a falsifying attack is conducted by using API (Application Programming Interface) hooking. For example, by hooking an API related to transmission and reception of communication data, a falsifying attack on communication data before encrypting or after decoding is conducted. When an API is under such attack, it is not possible to block such falsifying attack only by protecting its communication path with an SSL.
When countermeasures against such threats are to be taken, it is ideal to prevent malware infection itself. However, the methods for conducting infectious attacks are more sophisticated year by year, and it has been difficult to prevent such infection beforehand. Therefore, it is essential to take countermeasures against such threats on an assumption that user terminals will be infected with malware.
There are mainly two methods for taking countermeasures on a client side after being infected with malware. One of the methods is a method for protecting a process as an attacking target so as to prevent API hooking and the like from being conducted, and the other one is a method for blocking acquisition of a setting file that specifies a falsifying target and contents. If API hooking can be prevented from being conducted, occurrence of falsification can be prevented beforehand. However, securely realizing this prevention in a malware-infected state is difficult. Meanwhile, in the case of the method for blocking acquisition of a setting file, because countermeasures can be taken on a network, even if a terminal is infected with malware, these countermeasures can be taken. However, in this case, the IP (Internet Protocol) address and the like of a C&C server that distributes the setting file need to be acknowledged beforehand.
Generally, malware analysis is performed to collect an IP address and the like of a C&C server beforehand. As a method for automatically specifying a C&C server with malware analysis, a method for specifying a C&C server based on a passing relation of communication data between system calls has been proposed in Non Patent Literature 1. This method focuses on a passing relation of data between system calls appearing only when malware communicates with a C&C server, and has a characteristic that the number of times of erroneous detection is small. However, when there is no apparent characteristic of a passing relation of data between system calls, any detection cannot be performed.
Furthermore, as an analysis method of malware that conducts an MITB attack, there has been proposed another method in Non Patent Literature 2. The method in Non Patent Literature 2 is advantageous in characteristics such that malware is analyzed without causing influences on a Web server, and detection of falsification and specification of a falsified location can be performed. However, this method does not realize specification of a C&C server that has specified falsification contents.